App developers are weak link for Android security

来源:eetimes #Android# #android# #Security# #security# #ANDROID#
8431

NEW YORK – As the use of mobile apps on smartphones grows, trusting mobile apps not to expose your sensitive data has come into focus.

A recent report on Android apps vulnerability published by German university researchers has attracted much media attention. The study found that 1,074 apps out of 13,500 free Android apps analyzed had weak Secure Sockets Layer (SSL) implementation that could potentially make them vulnerable to attack. 

EE Times asked Mark Knight of Thales e-Security to break down the issues surrounding mobile app vulnerability. Thales is the large French military contractor which claims its data protection technology is deployed behind roughly 80 percent of ATMs installed in the world today.

When it comes to Android apps security issues, the weak link appears to be apps developers.

In the PC-only days, when developers sought to secure the link between browsers and Web sites using the SSL and Transport Layer Security (TLS) protocols, the imperfect schemes worked reasonably well in negotiating the best possible security, said Knight.

In an era of abundant mobile apps, however, the PC world’s security model has been thrown out of the window. Each mobile app is designed to connect directly with the app developer’s own server.

In other words, apps developers “are making security decisions,” Knight explained.

The German report found that 1,000 apps did not use basic security checks. Others contained basic errors in SSL implementation. Still others prompted apps to initiate calls without SSL protection, thus exposing personal information such as passwords and user names.

Although Knight said he didn't know whether Android security is worse than phones running other operating systems, he stressed that Android developers have a lot of control over security. They have a range of choices in implementing SSLs, allowing them to override some security measures.

The problem is that many smaller apps developers retain a “startup mentality” that doesn’t take security seriously, said Knight, adding that it’s very hard for consumers to know what steps app developers are taking to protect sAn opportunity?

While the German research report focused on "man-in-the-middle attacks" between apps and servers, Knight noted that vulnerabilities don't end there. Once the first layer of protection is removed from the communication linkage between apps and edge of the server, a bigger issue is how the data within a data center is protected.

"This can be turned into an opportunity for apps developers,” he noted.

Developers, for example, can select what they regard as the most sensitive data, then encrypt it. The encrypted data can then be sent via the cloud to a data center.

What about the cost of such security implementation? Is it simply too expensive for small apps developers? For apps, it’s a one-off cost, replied Knight. “There will be no per-device, per-instance cost.” For data centers, developers will need to install tamper-resistant hardware, thus insuring that keys cannot be stolen, he added.

Knight stressed that social networks and popular app developers are employing security experts and inserting layers of security. The security problem resides with small app developers who need to be educated, Knight said.

Still, even brands like Sony are not immune to hacking problems, as was demonstrated with Playstation services fiasco. Knight said Sony used its own encryption technology to protect data, instead of standard, certified encryption technology. But even trusted protection technology could turn into Swiss cheese because the security technology must be updated constantly.

TrustZone works?

Asked whether hardware technology embedded in mobile handsets called “Trust Zone" helps minimize security risks, Knight was non-committal.

ARM’s TrustZone technology, for example, is supposedly a “system-wide approach” to security that can be used on a mobile phone platform for a host of applications, including secure payment, digital rights management and Web-based services. TrustZone is tightly integrated with ARM processors and extends throughout the system via the AMBA AXI bus and TrustZone IP blocks, according to ARM.

Segregating “sensitive” apps by using TrustZone in a handset sounds like a good idea. But a user still has no way of knowing how those selected apps interact with each other within TrustedZone, said Knight.

Ultimately, the fact remains that user continue to rely on app developers to implement security in their services.


ensitive data.

责编:
来源:eetimes #Android# #android# #Security# #security# #ANDROID#
THE END
关闭
加载

PDF 加载中...